Citi Ups Number of Compromised Accounts from Cyber Attack to 360,000

Citigroup on Wednesday night said a cyber attack in May affected 360,083 of its customers, almost twice the initial number of customers originally reported.

Additionally, more details have emerged on the incident since Citi disclosed the attack, suggesting that attackers used a rather unsophisticated method to siphon data out from Citi’s online banking system.

According to the New York Times, “The data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers. Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.”

This type of attack appears to be similar in scope to other Web application attacks, including an incident when a security hole in AT&T’s Web site had exposed the email addresses of some iPad owners including Government and Military officials shortly after the product launch in 2010. In that incident, a hacker group claimed to have exploited the AT&T Web site using part of an HTTP request, triggering a script which would return the associated email address using an AJAX-style response within the Web application.

According to SecurityWeek contributor Mandeep Khera, we are in the midst of an application security crisis. “Security issues in applications have been around for decades. Hackers have been exploiting vulnerabilities and attacking and stealing information for many years,” Khera writes in his most recent column. “It’s gotten much worse in the recent years because more and more transactions are being done through websites -- low-hanging fruit for hackers to exploit Web vulnerabilities. Traditionally, schools have never done a good job of teaching students how to do secure coding. They were taught to avoid basic software defects but not worry about security. It’s only in the recent years that some universities have started to emphasize secure coding in their computer science curriculum.”

According to a statement from Citi, on May 10, a compromise to Citi Account Online that impacted roughly one percent of North America Citi-branded credit card accounts was discovered as part of routine monitoring and immediately rectified. While Citi Cards' Account Online system was compromised, the main cards processing system was not. Other Citi consumer banking online systems were not accessed or compromise, the company said.

On May 24th, following an investigation and review of data, the bank confirmed the full extent of information accessed on 360,069 accounts.

Citi said that customers' account information including name, account number and contact information, including email address was accessed, but that data critical to commit fraud was not compromised: customers' social security number, date of birth, card expiration date and card security code (CVV).

• A total of 360,083 North America Citi-branded credit cards were affected. Only accounts issued in the U.S. were impacted.

• 217,657 accounts were reissued credit cards along with a notification letter.

• Some accounts were not re-issued credit cards if the account is closed or has already received new credit cards as a result of other card replacement practices.

Citi was also a victim of a data breach through a third party email provider as a result of the massive breach that occurred at Epsilon back in April.